GUIDELINES ON
RISK MANAGEMENT OF ELECTRONIC BANKING
(Issued under Section 49 of the Financial Services Commission Act, R.S.A. c. F28 as amended)
This guidance is directed toward the Boards of Directors and senior management of licensees
under the Banking Act, R.S.A. c. B11 (insofar as their obligations specified in the Anti-Money
Laundering and Terrorist Financing Regulations, R.R.A. P98-1 (as amended) are concerned) and
the Trust Companies and Offshore Banking Act, R.S.A. c. T60 (particularly offshore banks).
Electronic banking can be defined as the process through which customers may perform banking
transactions electronically through networks and the internet via personal computers, laptops,
tablets, mobile phones and other devices.
The Commission endorses the principles and recommendations in the Basel Committee on
Banking Supervision paper entitled “Risk Management Principles for Electronic Banking” issued
July 2003 (http://www.bis.org/publ/bcbs98.pdf) and, in particular, Principle 4 dealing with the
appropriate measures to be taken by a licensee to authenticate the identity and authorization of
customers with whom it conducts business over the Internet.
This guidance comprises, as Appendices I and II, the Executive Summary of the BCBS paper
and the summarised principles. However, the attention of licensees' Boards of Directors and
senior management is directed to the BCBS publication in its entirety, at the link identified in the
previous paragraph.
Approved by the Board
Anguilla Financial Services Commission
18 February 2014
Appendix II
Principle 1:
The Board of Directors and senior management should establish effective management oversight
over the risks associated with e-banking activities, including the establishment of specific
accountability, policies and controls to manage these risks.
Principle 2:
The Board of Directors and senior management should review and approve the key aspects of
the bank's security control process.
Principle 3:
The Board of Directors and senior management should establish a comprehensive and ongoing
due diligence and oversight process for managing the bank's outsourcing relationships and other
third-party dependencies supporting e-banking.
Principle 4:
Banks should take appropriate measures to authenticate the identity and authorisation of
customers with whom they conduct business over the Internet.
Principle 5:
Banks should use transaction authentication methods that promote non-repudiation and
establish accountability for e-banking transactions.
Principle 6:
Banks should ensure that appropriate measures are in place to promote adequate segregation of
duties within e-banking systems, databases and applications.
Principle 7:
Banks should ensure that proper authorisation controls and access privileges are in place for
e-banking systems, databases and applications.
Principle 8:
Banks should ensure that appropriate measures are in place to protect the data integrity of
e-banking transactions, records and information.
Principle 9:
Banks should ensure that clear audit trails exist for all e-banking transactions.
Principle 10:
Banks should take appropriate measures to preserve the confidentiality of key e-banking
information. Measures taken to preserve confidentiality should be commensurate with the
sensitivity of the information being transmitted and/or stored in databases.
Principle 11:
Banks should ensure that adequate information is provided on their websites to allow potential
customers to make an informed conclusion about the bank's identity and regulatory status
prior to entering into e-banking transactions.
Principle 12:
Banks should take appropriate measures to ensure adherence to customer privacy requirements
applicable to the jurisdictions to which the bank is providing e-banking products and services.
Principle 13:
Banks should have effective capacity, business continuity and contingency planning processes to
help ensure the availability of e-banking systems and services.
Principle 14:
Banks should develop appropriate incident response plans to manage, contain and minimise
problems arising from unexpected events, including internal and external attacks, which may
hamper the provision of e-banking systems and services.